The problems lie in several signal handlers used by the program. By generating a signal while a signal handling operation is already in progress, an attacker could interrupt a non-reentrant libc function and enter it again from the handler. Precise timing in such an attack could possibly result in, for example, heap corruption or interruption during privilege lowering.

Conditions where these types of attacks may be possible are known to exist in procmail, which is installed setuid root and locally executable.